oss-sec mailing list archives
Re: Pointer misuse unziping files with busybox
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Mon, 26 Oct 2015 16:14:53 -0300
Fix: http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e 2015-10-25 19:34 GMT-03:00 Gustavo Grieco <gustavo.grieco () gmail com>:
Unziping a specially crafted zip file results in a computation of an
invalid
pointer and a crash reading an invalid address. Upstream is taking a look
to it, but in the meantime if someone wants to provide some feedback, it
will be nice. Find an attached a test case to reproduce it. A
complete backtrace in busybox 1.21 (debug) is available here:
$ gdb --args ./busybox_unstripped unzip x.-6170921383890712452
...
(gdb) run
Starting program: /home/g/Code/busybox-1.21.0/busybox_unstripped unzip
x.-6170921383890712452
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Archive: x.-6170921383890712452
inflating: ]3j½r«I K-%Ix
Program received signal SIGSEGV, Segmentation fault.
huft_build (b=b@entry=0x7fffffffd320, n=n@entry=264, s=s@entry=257,
d=d@entry=0x5fa900 <cplens>, e=e@entry=0x5fa8c0 <cplext> "",
t=0x60620000eb08,
t@entry=0x602c0000fe60, m=0x7fffffffd260) at
archival/libarchive/decompress_gunzip.c:441
441 r.e = (unsigned char) e[*p - s]; /*
non-simple--look up
in lists */
(gdb) bt
#0 huft_build (b=b@entry=0x7fffffffd320, n=n@entry=264, s=s@entry=257,
d=d@entry=0x5fa900 <cplens>, e=e@entry=0x5fa8c0 <cplext> "",
t=0x60620000eb08, t@entry=0x602c0000fe60, m=0x7fffffffd260) at
archival/libarchive/decompress_gunzip.c:441
#1 0x0000000000520b52 in inflate_block (state=state@entry=0x602c0000fe00,
e=e@entry=0x602c0000fe83 "") at
archival/libarchive/decompress_gunzip.c:905
#2 0x00000000005222d1 in inflate_get_next_window (state=0x602c0000fe00) at
archival/libarchive/decompress_gunzip.c:947
#3 inflate_unzip_internal (state=state@entry=0x602c0000fe00, in=in@entry
=3,
out=out@entry=4) at archival/libarchive/decompress_gunzip.c:1004
#4 0x0000000000522a6a in inflate_unzip (aux=aux@entry=0x7fffffffdc30,
in=in@entry=3, out=out@entry=4) at
archival/libarchive/decompress_gunzip.c:1048
#5 0x000000000051b255 in unzip_extract (dst_fd=4,
zip_header=0x7fffffffdd50)
at archival/unzip.c:255
#6 unzip_main (argc=<optimized out>, argv=<optimized out>) at
archival/unzip.c:654
#7 0x00000000004088bd in run_applet_no_and_exit
(applet_no=applet_no@entry=328, argv=argv@entry=0x7fffffffe170) at
libbb/appletlib.c:759
#8 0x0000000000408935 in run_applet_and_exit (name=0x7fffffffe4c8 "unzip",
argv=argv@entry=0x7fffffffe170) at libbb/appletlib.c:766
#9 0x0000000000408e7c in busybox_main (argv=0x7fffffffe170) at
libbb/appletlib.c:728
#10 run_applet_and_exit (name=<optimized out>, argv=argv@entry
=0x7fffffffe168)
at libbb/appletlib.c:768
#11 0x0000000000408f65 in main (argc=<optimized out>, argv=0x7fffffffe168)
at
libbb/appletlib.c:823
(gdb) x/i $rip
=> 0x51fb17 <huft_build+2852>: mov (%rdi),%dl
(gdb) info registers
rax 0x0 0
rbx 0x57 87
rcx 0x814a18 8473112
rdx 0x140900 1313024
rsi 0x5fa900 6269184
rdi 0xa04dcc 10505676
rbp 0x10007fff7940 0x10007fff7940
rsp 0x7fffffffc930 0x7fffffffc930
r8 0x7fffffffcb64 140737488341860
r9 0x7fffffffcbe8 140737488341992
r10 0x60620000eb10 105974023121680
r11 0x7fffffffcadc 140737488341724
r12 0x7fffffffd260 140737488343648
r13 0x8 8
r14 0x10007fff7944 17594333493572
r15 0x0 0
rip 0x51fb17 0x51fb17 <huft_build+2852>
eflags 0x10216 [ PF AF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
This issue was discovered with QuickFuzz
Thanks!
Current thread:
- Pointer misuse unziping files with busybox Gustavo Grieco (Oct 25)
- Re: Pointer misuse unziping files with busybox Gustavo Grieco (Oct 26)
- Re: Pointer misuse unziping files with busybox cve-assign (Oct 28)
- Re: Pointer misuse unziping files with busybox Gustavo Grieco (Oct 30)
- Re: Re: Pointer misuse unziping files with busybox Rich Felker (Oct 30)
- Re: Pointer misuse unziping files with busybox cve-assign (Nov 03)